Hello,

recently we moved our users database to an LDAP server, but after that sftp stopped 
working on our students' server. 

We use:
 - OpenLDAP 2.4.21
 - nss_ldap-1.265_3
 - pam_ldap-1.8.5
 - FreeBSD 9.0-CURRENT amd64

When I use sftp, it drops the connection:

{volt}-{~}% sftp localhost
Connecting to localhost...
Connection closed
{volt}-{~}% 

After a short investigation, I've found that the problem is in 
/usr/libexec/sftp-server (which is our default subsystem in sshd):

{volt}-{~}% /usr/libexec/sftp-server 
No user found for uid 5567
{volt}-{~}% 

which was quite weird, because sshd works perfectly with users from the LDAP server 
(so I assume that PAM is configured correctly).

After that, I tried a simple test with the program below:

=======================
#include <sys/types.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
 struct passwd *user_pw;

 /* Resolve our own uid through libc's NSS lookup, as sftp-server does. */
 if ((user_pw = getpwuid(getuid())) == NULL) {
   fprintf(stderr, "No user found for uid %lu\n",
       (u_long)getuid());
   return 1;
 } else {
   fprintf(stderr, "It works %s!\nYour uid is: %lu\n",
       user_pw->pw_name,
       (u_long)getuid());
 }

 return 0;
}
=======================

which is almost copy-pasted from /usr/src/crypto/openssh/sftp-server-main.c

I've built it twice. Once with dynamic linking:

{volt}-{~}% cc -o test test.c         
{volt}-{~}% ./test
It works bulinskp!
Your uid is: 5567
{volt}-{~}% 

and once with static linking:

{volt}-{~}% cc -o test -static test.c
{volt}-{~}% ./test                   
No user found for uid 5567
{volt}-{~}% 

As you can see, it works great with dynamic linking, but if it's built with 
static linking it can't get user information from the LDAP database.


Could you be so kind as to help me better understand this problem and find a 
solution for it (I spent some time trying to find one, but this is probably 
beyond my scope)?

I would really appreciate any tip.

Below is information about my PAM and NSS configuration:

{volt}-{~}% cat /etc/nsswitch.conf | grep passwd
passwd: files ldap
{volt}-{~}% 

{volt}-{~}% cat /etc/pam.d/sshd | grep -v "^#" | grep -v "^$"
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            requisite       /usr/local/lib/pam_af.so        debug
auth            sufficient      /usr/local/lib/pam_ldap.so  no_warn
auth            required        pam_unix.so             no_warn try_first_pass
account         required        pam_nologin.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so
session         required        pam_permit.so
session         sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass 
password        required        pam_unix.so             no_warn try_first_pass
{volt}-{~}% 

regards
-- 
Piotr Buliński
Informatyka na Wydziale Elektrycznym
Politechnika Warszawska
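The behaviour in the mail above follows from how NSS back-ends are loaded: nss_ldap is a shared object that libc opens with dlopen(3) at lookup time, so a statically linked program, which has no runtime loader, can only consult the sources built into libc (the `files` source, which is why /etc/passwd users still resolve). The first thing to check on an affected host is therefore whether the subsystem binary itself is static. The program below is an added example, not code from the mail or from OpenSSH: it walks an ELF64 image's program headers and reports whether it requests a runtime loader (PT_INTERP) and carries a dynamic segment (PT_DYNAMIC). It assumes a little-endian ELF64 host such as amd64, the `LF_*` flag names are mine, and `build_fake_elf64()` constructs throwaway in-memory images so the checker can be exercised offline.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LF_INTERP  1   /* PT_INTERP present: the kernel will start the runtime loader */
#define LF_DYNAMIC 2   /* PT_DYNAMIC present: shared-library metadata is there */

/* Walk the program headers of an ELF64 image held in memory and return the
 * LF_* flags found, or -1 if the buffer is not a little-endian ELF64 image.
 * Assumes a little-endian host such as amd64; every offset is bounds-checked. */
int elf64_link_flags(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    int flags = 0;
    if (len < sizeof eh)
        return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize < sizeof(Elf64_Phdr) || eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * eh.e_phentsize > len - eh.e_phoff)
        return -1;
    for (uint64_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + i * eh.e_phentsize, sizeof ph);
        if (ph.p_type == PT_INTERP)
            flags |= LF_INTERP;
        else if (ph.p_type == PT_DYNAMIC)
            flags |= LF_DYNAMIC;
    }
    return flags;
}

/* 1 when the image is statically linked (no loader request, no dynamic
 * segment), 0 when it is dynamic, -1 when it is not a usable ELF64 image. */
int is_static_elf64(const unsigned char *buf, size_t len)
{
    int f = elf64_link_flags(buf, len);
    return f < 0 ? -1 : (f == 0);
}

/* Constructed input for offline testing (hypothetical, not a real binary): a
 * minimal ELF64 header followed by n program headers with the given p_types. */
size_t build_fake_elf64(unsigned char *out, size_t cap, const uint32_t *types, unsigned n)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    size_t need = sizeof eh + (size_t)n * sizeof ph;
    if (cap < need)
        return 0;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = (Elf64_Half)n;
    memcpy(out, &eh, sizeof eh);
    for (unsigned i = 0; i < n; i++) {
        memset(&ph, 0, sizeof ph);
        ph.p_type = types[i];
        memcpy(out + sizeof eh + (size_t)i * sizeof ph, &ph, sizeof ph);
    }
    return need;
}

/* Mirror the mail's two builds: with_loader=1 models `cc test.c`,
 * with_loader=0 models `cc -static test.c`. Returns is_static_elf64()'s verdict. */
int static_verdict(int with_loader)
{
    static const uint32_t dyn[] = { PT_PHDR, PT_INTERP, PT_LOAD, PT_DYNAMIC };
    static const uint32_t sta[] = { PT_LOAD, PT_LOAD, PT_NOTE };
    unsigned char buf[512];
    size_t n = with_loader ? build_fake_elf64(buf, sizeof buf, dyn, 4)
                           : build_fake_elf64(buf, sizeof buf, sta, 3);
    return is_static_elf64(buf, n);
}

/* Stand-alone use: ./elfcheck /usr/libexec/sftp-server */
int main(int argc, char **argv)
{
    static unsigned char buf[1 << 16];   /* the program-header table sits near the start */
    FILE *fp;
    size_t len;
    int f;
    if (argc != 2 || (fp = fopen(argv[1], "rb")) == NULL) { fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]); return 2; }
    len = fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    f = elf64_link_flags(buf, len);
    if (f < 0) { fprintf(stderr, "%s: not a little-endian ELF64 image\n", argv[1]); return 1; }
    printf("%s: %s (PT_INTERP=%d PT_DYNAMIC=%d)\n", argv[1],
           f ? "dynamically linked" : "statically linked", !!(f & LF_INTERP), !!(f & LF_DYNAMIC));
    return 0;
}
```

If the checker reports sftp-server as statically linked, the "No user found" message is expected for every account that exists only in LDAP, and the fix lies in how that binary was built rather than in the PAM or nsswitch.conf settings; a dynamically linked binary that still fails points at the NSS configuration instead.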
